I installed a fresh Proxmox VE 9 on top of a Debian Trixie and wanted to use the ansible dynamic inventory plugin for Proxmox. I have copied the Root CA cert generated by Proxmox (/etc/pve/pve-root.pem) into the trust store of my admin machine, an up-to-date macOS laptop.
Ansible tools are written in Python, but the Homebrew-installed Python on macOS doesn't trust the macOS certificate store; it trusts a bundle installed by certifi instead. So I exported the certificate from my keychain and added it to certifi's bundle with the following commands:
Code:
# Append every certificate in the System keychain, PEM-encoded, to certifi's bundle
$ security export \
    -t certs \
    -k /Library/Keychains/System.keychain \
    -f pemseq \
    -p >> $(python3 -m certifi)
# Point Python's ssl module and requests at that bundle
# (`set VAR value` is fish-shell syntax; in bash it would set the positional parameters, use CERT_PATH="..." there)
$ set CERT_PATH "$(python3 -m certifi)"
$ export SSL_CERT_FILE=$CERT_PATH
$ export REQUESTS_CA_BUNDLE=$CERT_PATH
When calling the dynamic inventory, I was greeted with the following error
Code:
$ ansible-inventory -i inventory/proximighty.proxmox.yaml --list
[WARNING]: * Failed to parse
/Users/thibaultmartin/Projects/infra/ansible/inventory/proximighty.proxmox.yaml with auto
plugin: HTTPSConnectionPool(host='192.168.1.200', port=8006): Max retries exceeded with url:
/api2/json/nodes (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage
extension (_ssl.c:1032)')))
[WARNING]: * Failed to parse
/Users/thibaultmartin/Projects/infra/ansible/inventory/proximighty.proxmox.yaml with yaml
plugin: Plugin configuration YAML file, not YAML inventory
[WARNING]: * Failed to parse
/Users/thibaultmartin/Projects/infra/ansible/inventory/proximighty.proxmox.yaml with ini
plugin: Invalid host pattern 'plugin:' supplied, ending in ':' is not allowed, this
character is reserved to provide a port.
[WARNING]: Unable to parse
/Users/thibaultmartin/Projects/infra/ansible/inventory/proximighty.proxmox.yaml as an
inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
I inspected the root CA, and I can see that it's indeed missing the keyUsage extension, and in particular the keyCertSign one
Code:
root@proximighty:/etc/pve# openssl x509 -noout -text -in pve-root-ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:fe:3c:66:d8:58:2e:38:b8:c7:9a:3e:33:43:24:dc:ef:25:8c:ee
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Proxmox Virtual Environment, OU=907326c5-c7b1-4354-afa2-b0668ca41c73, O=PVE Cluster Manager CA
        Validity
            Not Before: Aug 15 12:06:15 2025 GMT
            Not After : Aug 13 12:06:15 2035 GMT
        Subject: CN=Proxmox Virtual Environment, OU=907326c5-c7b1-4354-afa2-b0668ca41c73, O=PVE Cluster Manager CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A3:3E:C8:FD:1E:AA:E7:6D:29:DC:D5:00:73:01:B4:20:85:9D:0A:37
            X509v3 Authority Key Identifier:
                A3:3E:C8:FD:1E:AA:E7:6D:29:DC:D5:00:73:01:B4:20:85:9D:0A:37
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [...]
I can generate a certificate manually to fix this, but it feels like a bug that should be reported upstream. Should I report this in an issue tracker elsewhere?
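Added example (not code from the post above or from the Proxmox project): the script below reproduces the problem offline with the OpenSSL CLI. It builds two throwaway self-signed CAs, one in the shape of the pve-root-ca.pem dump above (critical Basic Constraints, SKID/AKID, but no keyUsage) and one that adds keyUsage = keyCertSign, cRLSign; issues a server certificate directly under each, which is the two-certificate chain the API error refers to; and then runs the check that tripped the Ansible client, both as a direct inspection of the keyUsage extension and as OpenSSL's own path validation with -x509_strict. Python 3.13's create_default_context() enables VERIFY_X509_STRICT, which is what turns that same OpenSSL check on for a Python client. It assumes an OpenSSL 1.1.1 or newer CLI; the CA names, subjects, hostname and IP are made up.

```shell
#!/bin/sh
# Added example, not from the forum post or from Proxmox. Assumes the OpenSSL CLI
# (1.1.1+); all names, subjects and hostnames below are invented for the demo.
set -eu

WORK=$(mktemp -d)

# Minimal req config plus one X509v3 section for a self-signed CA.
# $1 = CA name (also the section name), $2 = extra extension lines (may be empty).
write_ca_config() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[$1]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
${2:-}
EOF
}

# Self-signed 10-year CA -> $WORK/$1.key and $WORK/$1.pem. stderr is silenced only
# to hide key-generation chatter; set -e still aborts the script on a real failure.
make_ca() {
    write_ca_config "$1" "${2:-}"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA $1/O=Example Org" \
        -config "$WORK/$1.cnf" -extensions "$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate signed directly by CA $1: the same two-certificate chain
# (node certificate straight under the root CA) that the API error above is about.
make_leaf() {
    cat > "$WORK/$1-leaf.cnf" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:pve.example.test, IP:192.0.2.10
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=pve.example.test" \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1-leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1-leaf.cnf" \
        -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# Returns 0 if certificate $1 carries a keyUsage extension with the keyCertSign bit
# set (OpenSSL prints that bit as "Certificate Sign"), 1 otherwise.
ca_has_keycertsign() {
    openssl x509 -noout -in "$1" -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign'
}

# OpenSSL's own path validation with the RFC 5280 strictness flag, i.e. the check
# behind CERTIFICATE_VERIFY_FAILED when Python's ssl has VERIFY_X509_STRICT set.
strict_verify() {
    openssl verify -x509_strict -CAfile "$1" "$2"
}

make_ca bad                                               # shape of pve-root-ca.pem
make_ca good "keyUsage = critical, keyCertSign, cRLSign"  # what a root CA needs
make_leaf bad
make_leaf good

for ca in bad good; do
    if ca_has_keycertsign "$WORK/$ca.pem"; then
        echo "$ca CA: keyUsage includes keyCertSign"
    else
        echo "$ca CA: no keyUsage extension (or keyCertSign bit unset)"
    fi
    strict_verify "$WORK/$ca.pem" "$WORK/$ca-leaf.pem" || true
done
```

With an OpenSSL 3.x CLI the "bad" chain fails the strict run with the very message from the Ansible output, "CA cert does not include key usage extension", while the "good" chain verifies; the only difference between the two roots is the keyUsage line. The missing-keyUsage-on-CA check is an OpenSSL 3 addition, so a 1.1.1 build passes both chains in strict mode even though the extension is still absent. Note that a replacement root has a new key, so the node certificate has to be re-issued under it for the chain to validate.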